Re: tunnelling -- best practices
Paul Johnson <baloo@ursine.dyndns.org> writes:
> On Tue, Feb 18, 2003 at 11:30:54PM -0500, jereme wrote:
> > Some of this is preference. I find, I myself prefer to build a tunnel
> > to remote networks. Having a routable link provides much more
> > flexibility than remote login.
>
> What's your method for doing this? I've made a couple half-assed
> attempts at setting up a PPTP VPN so I and my users can connect to my
> network remotely when need be.
For net-to-net connections where I have static assignments on both
ends I always use IPSec (freeswan of course). I have lots of sites
using this and I haven't had a problem in the three years I have been
running it.

For single users looking to connect to the mother ship I use two
solutions. For those unfortunate souls trapped on win systems, I
set up a pptp server for their use (poptop). Though I think pptp is
pretty bad all said and done, it is standard or easily obtained for
most win systems (besides, if quality software was such a priority
for those users, they wouldn't be running Windows systems).

For Linux folks, I go with vtun. I use this every day and have never
seen it burp. I have also used IPSec for this, but as many folks must
traverse a NAT gw, the modified headers cause the remote gateway to
drop the AH packets (there are patches to get the gw to not munge
these headers, but lots of times I don't control the gateway or it is
an appliance). Also the dynamic addressing has given me trouble.
When the address changes, the tunnel takes a little while to
reestablish (about long enough for a user or client to become testy
and start hitting my cell).

> `- Debian - when you have better things to do than to fix a system
I always thought this was an *excellent* footer.
-jereme
--
+--------------------------------------------------------------+
Jereme Corrado <jereme@restorative-management.com>
System Administrator
Restorative Management Corp.
gpg: 1024D/9C39E1F0
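The AH-through-NAT failure described in the post, as an added illustration that is not part of the original message: the AH integrity check value (ICV) covers the IP source and destination addresses, so a NAT gateway that rewrites the source address invalidates the ICV, while an ordinary router decrementing the (mutable, excluded) TTL does not. The key, addresses and payload below are constructed for the demo, and the AH header itself is left out of the hashed data for brevity.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed demo key; a real SA key comes from IKE or manual keying.
KEY = b"constructed-demo-key-0123456789ab"


def ipv4_header(src, dst, ttl=64, proto=51, total_len=64, ident=0x1234):
    """Build a minimal 20-byte IPv4 header (no options). Checksum left at 0: not needed here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ah_immutable_view(ip_hdr):
    """Zero the mutable fields AH excludes from the ICV (RFC 2402 3.3.3.1):
    TOS, flags/fragment offset, TTL and header checksum. Addresses stay covered."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_icv(key, ip_hdr, payload):
    """HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 96 bits over immutable header + payload."""
    return hmac.new(key, ah_immutable_view(ip_hdr) + payload, hashlib.sha1).digest()[:12]


def verify(key, ip_hdr, payload, icv):
    """What the receiving gateway does: recompute the ICV over what it received and compare."""
    return hmac.compare_digest(ah_icv(key, ip_hdr, payload), icv)


def nat_rewrite_source(ip_hdr, new_src):
    """A NAT gateway swaps the source address (it fixes up the checksum too, which AH ignores)."""
    b = bytearray(ip_hdr)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(b)


def router_hop(ip_hdr):
    """A plain router only decrements TTL, a field AH deliberately leaves out of the ICV."""
    b = bytearray(ip_hdr)
    b[8] -= 1
    return bytes(b)


def demo():
    """Return (verifies after a router hop, verifies after NAT) for one constructed packet."""
    payload = b"constructed payload"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5")   # RFC 1918 client -> remote gateway
    icv = ah_icv(KEY, hdr, payload)
    return (verify(KEY, router_hop(hdr), payload, icv),
            verify(KEY, nat_rewrite_source(hdr, "198.51.100.7"), payload, icv))
```

Running `demo()` gives `(True, False)`: the router-forwarded packet still verifies, the NAT-rewritten one is dropped, which is exactly why the post falls back to vtun for users behind NAT gateways it does not control.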